SEC hits four companies with fines for misleading disclosures around SolarWinds hack

The Securities and Exchange Commission said it has reached a settlement with four companies for making materially misleading statements about the impact of the 2020 SolarWinds Orion software breach on their business.

The regulator on Tuesday charged the four companies — Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies and Mimecast Limited — with minimizing the compromise or describing the damage to internal systems and data as  theoretical, despite knowing substantial amounts of information was stolen.

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, said in a statement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

As part of the agreement, the companies have agreed to pay fines without acknowledging wrongdoing. Unisys will pay $4 million, Avaya $1 million, Check Point $995,000 and Mimecast $990,000.

According to the SEC, by December 2020 Avaya already knew that at least one cloud server holding customer data and another server for their lab network had been breached by the hackers working for the Russian government. Later that month, a third-party service provider alerted the company that its cloud email and file-sharing systems had also been breached, likely by the same group and through means other than Orion.

A follow-up investigation identified more than 145 shared files accessed by the actor, along with evidence that the group monitored the emails of the company’s cybersecurity incident responders.

But in a February 2021 quarterly report, Avaya described the impact in far more muted terms, saying the evidence showed the threat actors accessed only “a limited number of company email messages” and there was “no current evidence of unauthorized access to our other internal systems.

Unisys’ investigation uncovered that, following the discovery of a device running Orion, multiple systems — seven network and 34 cloud-based accounts, including some with administrative privileges — were accessed over 16 months. The threat actors also repeatedly connected to their network and transferred more than 33 gigabytes of data.

But in annual reporting to the SEC, Unisys “inaccurately described the existence of successful intrusions and the risk of unauthorized access to data and information in hypothetical terms, despite knowing that the above-described intrusions had actually happened and in fact involved unauthorized access and exfiltration of confidential and/or proprietary information,” according to the agency’s cease and desist order.

The company also appeared to have no formal procedures in place for identifying and communicating high-risk breaches to executive leadership for disclosure.

Similar investigations by Check Point in December 2020 found two infected servers and evidence of the threat actor moving throughout its corporate network and installing malicious software. Still, in SEC filings in 2021 and 2022, Check Point described its level of general cybersecurity risk using near-identical language from past reports, despite knowing it had been victimized by a Russian advanced persistent threat group in a wide-ranging global hacking campaign.

Cloud provider Mimecast discovered evidence the hackers used a stolen authentication certificate to breach five customer cloud platforms, access internal emails and stole code for an encrypted database holding credentials and server configuration information for tens of thousands of customers.

While Mimecast publicly disclosed some of these impacts, its reporting to the SEC omitted critical details “including information regarding the large number of impacted customers and the percentage of code exfiltrated by the threat actor.”

Avaya spokesperson Julianne Embry said the company is “pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls.”

Mimecast spokesperson Tarrah Ledoux told CyberScoop that the company believes it complied with disclosure and regulatory obligations and “made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected.”

Check Point spokesperson Gil Messing said the company “investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed.”

“Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world,” Messing said in a statement.   

Unisys didn’t respond to a request for comment from CyberScoop by the time of publication.

U.S. officials and private threat intelligence firms attribute the SolarWinds Orion compromise  to the Russian Foreign Intelligence Service (SVR) as part of a long-term  espionage campaign. The SVR accessed SolarWinds’ network and corrupted a legitimate Orion software update, which was then sent out to thousands of public- and private-sector organizations across the country who used the software for IT management.

At least nine federal agencies are known to have been breached in the campaign, along with nearly 100 private-sector organizations.